The Federal Public Ministry (‘MPF’) in the state of São Paulo announced, on 7 May 2018, that the Federal Court in São Paulo (‘the Court’) had issued a decision ordering Microsoft Informatica Ltda. to adopt specific procedures within 30 days in order to adjust its Windows 10 operating system to provide users with an easy way to opt out of providing personal data, and to pay a minimum fine of BRL 10 million (approx. €2,360,000) (‘the Decision’), following a lawsuit filed by the MPF.

Caio César Carvalho Lima, Partner at Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados, told DataGuidance, “The approach of the Court is important because it forces the provider to facilitate data subjects in selecting what type of data they choose to share. We are starting to see Brazilian Courts enforcing laws relating to privacy and data protection in more decisions. Given that this is only a preliminary decision, the approach of the Court can be seen as particularly relevant in helping to create a culture of data protection in Brazil.”

The MPF alleged that the current software installation and upgrade options allowed Microsoft to collect users’ personal data without their consent and without providing clear information on its collection, use, storage and processing, and that this was therefore a violation of Brazilian law, in particular Articles 7 and 8 of the Brazilian Internet Legal Framework (Federal Law No. 12.965 of 23 April 2014), Article 6 of the Consumer Protection Code 1990 and the constitutional right to privacy.

Carvalho Lima continued, “In order for the Decision to be implemented, Microsoft will need to develop a version of Windows 10 specifically for Brazil, which at first glance does not appear to be a quick and easy task, hence there are some doubts as to the feasibility of the measure. [Nonetheless], since we are talking about a system that is used by a lot of people with varying levels of technological knowledge, making the opt-out process as simple as possible is a good way of [allowing] users to select the data they would like to share.”

[…]

Carvalho Lima concluded, “Companies should make sure that they are compliant with the applicable laws by understanding the full life cycle of data, including its collection, use, storage, and distribution. [Furthermore], companies should also be aware of the main draft bills on data protection, particularly Executive Bill No. 5276/16 Regarding the Processing of Personal Data in Order to Guarantee the Free Development of the Personality and Dignity of Natural Persons, which was inspired by the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and may further impact companies’ compliance [procedures].”